Simple Membership was introduced with ASP.NET Web Pages and WebMatrix to simplify the task of authenticating users. The idea behind it is to use a minimalistic schema that can be easily customized to fit the needs of the application. With Simple Membership, we can overcome the issues of the full Membership system, such as being limited to SQL Server or Active Directory, the rigid schema, and the extreme difficulty of integrating external sources like OAuth and OpenID.
To use Simple Membership, we need a connection string pointing to the database that will store user accounts. The configuration of Simple Membership happens automatically with the first request to the AccountController class. Note that the AccountController class is decorated with the [InitializeSimpleMembership] attribute. Under the hood, the [InitializeSimpleMembership] attribute calls the following command:
WebSecurity.InitializeDatabaseConnection("DefaultConnection", "UserProfile", "UserId", "UserName", autoCreateTables: true);
The code is in the Filters/InitializeSimpleMembershipAttribute.cs file, which implements the [InitializeSimpleMembership] attribute. The InitializeDatabaseConnection() method instructs the web application to use the database configured in the DefaultConnection connection string defined in Web.config. The connection string points to the LocalDB database we are using. The second and third parameters in the InitializeDatabaseConnection() call are the table and primary key column where user accounts will be stored. The fourth parameter is the column in the table that stores the user name identifying each user account. The fifth parameter defines whether the Simple Membership tables will be created if they are absent from the database.
Using the ASP.NET Simple Membership API
ASP.NET Simple Membership includes an API that can be used to programmatically perform operations on user accounts, such as creating or deleting accounts. These operations are encapsulated in methods located in the WebSecurity class in the WebMatrix.WebData namespace. Visual Studio has already created code in the AccountController class that handles common operations like validating user credentials and changing passwords. That's why the action methods in the AccountController class use the methods in the WebSecurity class to handle such operations.
The methods that handle the most common user account tasks using Simple Membership are listed and described in Figure 1:
Figure 1. Common methods in ASP.NET Simple Membership API
To validate user credentials using Simple Membership, we use the Login() method in the WebSecurity class, as shown in Figure 2. The Login() method takes three parameters: the first is the user name, the second is the password, and the third is a Boolean parameter that defines the behavior of the authentication cookie.
Figure 2. User credentials validation using ASP.NET Simple Membership
Using the ASP.NET Membership API
ASP.NET Membership has a more complex schema than Simple Membership. Once it is configured, we can use the Membership API to manage user accounts: create and delete accounts, assign accounts to roles, etc. The ASP.NET Membership API is defined by methods in the Membership class in the System.Web.Security namespace. As the default membership provider in the Internet Application template is now Simple Membership, Visual Studio does not generate any code that implements this API.
As usual, we would implement user functionality in action methods of a controller. The code is similar to the code implemented with Simple Membership, but the method names and parameters are slightly different. Figure 3 lists and describes the most commonly used methods in the Membership class.
Figure 3. Common Methods in ASP.NET Membership class
The following is the typical process that occurs when a user logs into the application:
1. In the login page, the user enters a user name and password.
2. The login page posts the entered credentials to the server.
3. The server validates the credentials against the user account in the database.
4. If a record is found in the database, a cookie with a security ticket is issued; if no record is found, an error is returned to the user.
Using the ASP.NET Membership API, the code is a bit different. We use the ValidateUser() method in the Membership class. The ValidateUser() method takes two arguments, user name and password, and returns a Boolean value that indicates whether the validation was successful. If validation was successful, the previous authentication cookie is removed and a new authentication cookie is created using the SetAuthCookie() method in the FormsAuthentication class. The code shown in Figure 4 uses the ASP.NET Membership API to validate user credentials.
Figure 4. Validating User Credentials Using ASP.NET Membership API
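The two login paths described above, WebSecurity.Login() for Simple Membership and Membership.ValidateUser() followed by SetAuthCookie() for the Membership API, shown side by side. This is an added example, not the code from Figures 2 and 4 or from the Visual Studio template. LoginModel, LoginExampleController, the action names, the "Login" view and the Home/Index fallback are assumptions, as is the use of FormsAuthentication.SignOut() to remove the previous cookie.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
using System.Web.Security;   // Membership, FormsAuthentication
using WebMatrix.WebData;     // WebSecurity

// Hypothetical view model for this example.
public class LoginModel
{
    [Required] public string UserName { get; set; }
    [Required, DataType(DataType.Password)] public string Password { get; set; }
    public bool RememberMe { get; set; }
}
// Hypothetical controller: use ONE of the two actions, matching the configured provider.
public class LoginExampleController : Controller
{
    // Simple Membership: Login() validates the credentials and issues the cookie.
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult LoginSimple(LoginModel model, string returnUrl)
    {
        if (ModelState.IsValid &&
            WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
            return RedirectToLocal(returnUrl);
        return Fail(model);
    }

    // Membership API: validate first, then replace the authentication cookie.
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult LoginClassic(LoginModel model, string returnUrl)
    {
        if (ModelState.IsValid && Membership.ValidateUser(model.UserName, model.Password))
        {
            FormsAuthentication.SignOut();   // remove the previous cookie
            FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
            return RedirectToLocal(returnUrl);
        }
        return Fail(model);
    }
    // Same message for unknown user and wrong password, so the form does not reveal which accounts exist.
    private ActionResult Fail(LoginModel model)
    {
        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View("Login", model);
    }
    // Only follow returnUrl when it points back into this application.
    private ActionResult RedirectToLocal(string returnUrl)
    {
        return Url.IsLocalUrl(returnUrl) ? (ActionResult)Redirect(returnUrl) : RedirectToAction("Index", "Home");
    }
}
```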
We can use the CreateUser() method to create a user. The method returns an object of MembershipUser type.
Example:
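// Note: the built-in System.Web.Security.MembershipUser has no FirstName/LastName
// properties; this assumes a MembershipUser type that exposes them.
MembershipUser oMembershipUser = Membership.CreateUser(model.UserName, model.Password, model.Email);
oMembershipUser.FirstName = model.FirstName;
oMembershipUser.LastName = model.LastName;
Membership.UpdateUser(oMembershipUser);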
If we are using the Simple Membership API, the WebSecurity class has a CreateUserAndAccount() method that allows us to create a new user and account as follows:
WebSecurity.CreateUserAndAccount(model.UserName, model.Password,
    new { FirstName = model.FirstName, LastName = model.LastName, Email = model.Email },
    false);
In this case, we pass the additional properties FirstName, LastName and Email as an anonymous object to the CreateUserAndAccount() method, so the database table is filled with this information.
In the case of Membership.CreateUser(), the method returns a MembershipUser object, and we need to use that object to set values in the FirstName and LastName properties and finally call Membership.UpdateUser() to save the values in the database.